The main feature of One Identity Manager is to map employees together with the master data and permissions available to them in different target systems. To achieve this, information about user accounts and permissions can be read from the target system into the One Identity Manager database and linked to employees. This provides an overview of the permissions for each employees in all of the connected target systems. One Identity Manager offers the option of managing user accounts and their permissions. You can provision modifications in the target systems. Employees are supplied with the necessary permissions in the connected target systems according to their function in the company. Regular synchronization keeps data consistent between target systems and the One Identity Manager database.
Because requirements vary between companies, One Identity Manager offers different methods for supplying user accounts to employees. One Identity Manager supports the following method for linking employees and their user accounts.
- Employees can automatically obtain their user accounts through One Identity Manager account definitions.
- When user accounts are inserted in One Identity Manager, they can be automatically assigned to an existing employee or a new employee can be created if necessary.
- Employee and user account data in One Identity Manager can be manually entered and assigned to each other.
The requirements of a company’s user administration are often different not only in the existing target system types, but also in the individual target systems of a target system type.
Requirements for user account administration might be, for example:
Target system type Active Directory with Microsoft Exchange
- In domain A, a user account should be automatically created for each internal employee. The information for the container and home server are based on the department and the location of the person. Each user account in the domain is automatically allocated a Microsoft Exchange mailbox.
- In domain B, the user accounts are administrated independently of the employee data. Microsoft Exchange mailboxes can only be allocated by requesting them in the IT shop.
Target system type IBM Notes
- All members of the sales department are automatically allocated an IBM Notes mailbox. Members of other departments can request an IBM Notes mailbox. The attributes of the IBM Notes mailbox are determined depending on the member’s department.
Target system type SAP R/3
- All members of the personnel department are automatically allocated a user account in an SAP Client 101.
- The members of the purchasing department are automatically allocated a user account in the SAP Client 102 the moment they are assigned the appropriate role.
- The user accounts for the SAP Client 103 are allocated exclusively through a request process.
One Identity Manager uses different mechanisms to assign user accounts to employees.
Initial assignment of user accounts
The user accounts are initially read into One Identity Manager from a target system through synchronization. In doing so, the existing employees can automatically be assigned to the user accounts. New employees can be created and assigned to user accounts if necessary. The criteria for these automatic assignments are defined on a company-specific basis. The extent of the attributes an employee inherits on their user account through account definitions can be changed after checking the user accounts. The loss of user accounts through system changes can therefore be avoided. User account verification can be carried out manually or by using scripts.
Assigning user accounts during work hours
One Identity Manager uses special account definitions for allocating user accounts to employees during working hours. Account definitions can be created for each target system of the appointed target system type, for example, the different domains of an Active Directory environment or the individual clients of an SAP R/3 system. A priority is applied to the account definitions in order to ensure that a Microsoft Exchange mailbox, for instance, is only created when an Active Directory user account is available.
An employee can obtain a user account though the integrated inheritance mechanism by either direct assignment of account definitions to an employee, or by assignment of account definitions to departments, cost centers, locations, or business roles. All company employees can be allocated special account definitions independent of their affiliation to the departments, cost centers, locations, or business roles. It is possible to assign account definitions to the One Identity Manager as requestable items in the IT Shop. A department manager can then request user accounts from the Web Portal for his staff.
Treatment of user accounts and personal data during disabling
The handling of personal data, particularly during long-term or temporary absence of an employee, is dealt with differently in each company. Some companies never delete personal data, but just disabled it when the person leaves the company. Other companies delete the personal data but only after they are sure that all the user accounts have been deleted.
The requirements of a company’s user administration are often different not only in the existing target system types, but also in the individual target systems of a target system type. Even within a target system, there may be different rules for different user groups. For example, different rules for allocating user accounts can apply in the individual domains within an Active Directory environment.
A requirement could look like the following, for example:
- In domain A, user accounts are administrated independently of employee data.
- In domain B, user accounts are linked to an employee. However, employee master data should not be transferred to the user accounts.
- In domain C, a user account is automatically created for each internal employee. The information for the container, home server, and profile server are based on the employee's department and location.
In order to fulfill the individual requirements of user administration, users can be divided into categories:
The following visual is designed to make user account transitions clearer. The default mechanisms integrated in One Identity Manager about employee and user account administration are shown.
Figure 1: Transition States for a User Account
Manually adding a user account
- Case 1: In order to manage a user account independently from employee data, the user account is added manually and is not assigned to an employee. The user account is not linked to an employee and therefore has the Unlinked state.
- Case 2: If the user account is already linked to an employee when inserted manually, the user account changes its state to Linked.
Case 3: If an employee is already assigned when the user account is added and an account definition is assigned at the same time, the user account changes its state to Linked configured. Depending on the manage level used, the state of the user account becomes Linked configured: Unmanaged or Linked configured: Full managed.
Editing an existing user account
- Case 4: If an existing user account is manually assigned to an employee, the user account changes its state from Unlinked to Linked.
- Case 5: If an existing user account is manually assigned to an employee and an account definition is assigned at the same time, the user account changes its state from Unlinked to Linked configured. Depending on the manage level used, the state becomes Linked configured: Unmanaged or Linked configured: Full managed.
- Case 6: When One Identity Manager goes live, you can create IT Shop requests for existing user accounts, which are linked with employees (Linked state). This assigns an account definition and the user account changes its state to Linked configured. Depending on the manage level used, the state becomes Linked configured: Unmanaged or Linked configured: Full managed.
Changing the manage level
- Cases 7 and 8: By changing the manage level, an existing user account can change its state from Linked configured: Unmanaged to Linked configured: Full managed and vice versa. The manage level can only be changed for user accounts that are associated with an employee.
Removing employee assignments
- Case 9: By deleting the employee entry in a linked user account (Linked), the user account changes its state to Unlinked.
NOTE: The employee entry cannot be removed from user accounts with a state of Linked configured as long as the employee owns an account definition. Removing an employee's account definition results immediately in deleting the user accounts.
Handling user accounts during synchronization
- Case 10: When a database is synchronized with a target system, the user accounts are always added without an associated employee and therefore, have an initial state of Unlinked. An employee can be assigned afterwards. This can be done manually or through automated employee assignment using process handling.
Assigning employees automatically to existing user accounts
- Case 11: One Identity Manager can automatically assign employees to user accounts in an Unlinked state. If the target system is assigned an account definition, this account definition is automatically assigned to the employees. Depending on the manage level used, the state becomes Linked configured: Unmanaged or Linked configured: Full managed. Automatic employee assignment can follow on from adding or updating user accounts through synchronization or through manually adding a user account. For more information, see Automatic assignment of employees to user accounts.
Automatically creating user account through account definitions
- Case 12: Account definitions are implemented to automatically assign user accounts to employees during normal working hours. If an employee does not have a user account in the target system, a new user account is created. This is done by assigning account definitions to an employee using the integrated inheritance mechanism followed by process handling. The manage level is modified to suit the default manage level and the user account has the Linked configured state. Depending on the manage level used, the state becomes Linked configured: Unmanaged or Linked configured: Full managed. For more information, see Account definitions and manage levels.
One Identity Manager has account definitions for automatically allocating user accounts to employees during working hours. You can create account definitions for every target system. If an employee does not yet have a user account in a target system, a new user account is created. This is done by assigning account definitions to an employee.
The data for the user accounts in the respective target system comes from the basic employee data. The employee must own a central user account. The assignment of the IT operating data to the employee’s user account is controlled through the primary assignment of the employee to a location, a department, a cost center, or a business role (template processing). Processing is done through templates. There are predefined templates for determining the data required for user accounts included in the default installation. You can customize templates as required.